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Abstract 

A method is given to detect the presence of eavesdroppers when a noisy message is 
sent to a privileged receiver. A proof of the effectiveness if this method is demonstrated, 
and a comparison is made to other quantum cryptographic tasks. 



1 Introductory Remarks 

The aim of this work is to introduce a method for accomplishing the following crypto- 
graphic task: the transmission of a message from its sender to a privileged receiver so 
that the receiver can detect the presence of any eavesdroppers during the transmission. 
Specifically, this method provides the receiver with a confirmation that no eavesdroppers 
were present provided that this is indeed the case and also provided that there was a 
small enough amount of noise present in the channel they were using to communicate. 
In other words, an eavesdropper will be indistinguishable from noise, but the absence of 
any eavesdropping and noise below a certain threshold will allow the message receiver 
to have confidence that the message that was just transferred had not been exposed to 
anyone other than himself. 

It is important to emphasize that this method does not prevent any third parties from 
gaining access to the message. Indeed, it should be clearly understood that messages 
sent using this method can be read by an eavesdropper (we describe the most effective 
technique for doing so below). However, any such activity will be detectable by the 
message receiver, as we shall demonstrate. 

This manuscript is organized as follows: In the next section, the method for achieving 
the cryptographic goal just described is explained. Following this, we give a mathematical 
proof that this method allows the message receiver to determine if a message has not 
been exposed to any eavesdroppers. In the final section we compare this cryptographic 
task to other cryptographic activities. 



Table 1: Each shot, Alice makes one of the following eight announcements. 



Bit- Announcements 



Result- Announcements 



(Xi a = 

<j\ a = 1 

(73 a = 

CT3 a = 1 



(Tl TO = +1 

(Tl TO = — 1 

(73 TO = +1 

(73 TO = — 1 



2 Description of the Protocol 



The protocol involves a message sender, named Alice, trying to get a message bit b (whose 
value can be zero or one) to a receiver, called Bob. Longer messages will be built up by 
sending a sequence of message bits. The entire process is initiated by Alice announcing 
that she has a message bit she wants to communicate to Bob. Then a routine is repeated 
many times. Each repetition is referred to as a single shot and proceeds as follows. 

Bob starts the routine by preparing some physical system, which we refer to as a 
particle, in one of four quantum states represented by density matrices po = |0)(0|, 
pi = p+ = |+}(+|, and p- = — )(— j. Here we have used the standard notation 

for a qubit Hilbert space that is spanned by orthonormal basis vectors |0) and |1), and 
|±) = (|0) ± \ l))/V2. Bob employs a randomized method of preparation so that he is 
equally likely to prepare the particle in any of these four states. Bob records which state 
he has prepared and sends the particle to Alice. 

Upon receipt of the particle, Alice makes one of two measurements: with probability 
one-half she makes a measurement corresponding to ai = |+}(+| — — ) ( — | , and with 
probability one-half she makes a measurement corresponding to (73 = |0}(0| — 
Alice records her measurement result as m (which will be +1 or —1) and announces 
whether her measurement corresponded to o\ or (73. 

Then Alice makes a second announcement. With probability p a she announces the 
classical bit a which is determined from the message bit b and the measurement result 
m using 



which we refer to as a bit-announcement. Or else, (with probability [1— p a \) she announces 
the value of m, which we refer to as a result- announcement. This completes the routine 
for a single shot. 

This routine must be repeated N times to accomplish the goal of conveying the value 
of the message bit b to Bob while giving him the opportunity to determine if he has 
been the only person to whom this message bit has been conveyed. For the purpose 
of simplicity of the analysis, we assume that the value of N has been agreed upon 
beforehand between Alice and Bob. (It is straightforward to extend the analysis shown 
here to a situation in which Alice and Bob keep repeating shots until some well-defined 
goal has been achieved.) Furthermore, we assume that the value of p a has been agreed 
upon beforehand as well. The criteria for the choice of these two parameters is discussed 
below. 

Each time that Alice makes a bit-announcement, Bob has a chance to determine the 
value of b. (As we shall see shortly, each bit-announcement also gives an eavesdropper an 
opportunity to infer the value of b.) When Bob has prepared the particle in an eigenstate 
of the measurement operator corresponding to the measurement that Alice performs, we 
say that they have a matching basis. In such a case, Bob can use his conjectured value 
of m (based on his knowledge of the state he prepared and the measurement made by 




mod 2 , 



(1) 
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Alice) along with the equation 



a H — j mod 2 (2) 

to determine the value of b. On any given shot, the probability that Bob and Alice have a 
matching basis and that Alice makes a bit-announcement is p a /2. If a bit-announcement 
is made on a shot when Bob knows that he and Alice do not have a matching basis, then 
from Bob's point of view, either value of m is equally likely, and therefore either value 
of b is equally likely. 

However, as in any physical system, the way in which the events occur does not always 
match the ideal. These non-ideal events are often characterized as noise and will effect 
whether or not Bob can correctly infer the message bit 6 from Alice's announcements. 
We finish this section with an analysis of how well Bob can infer the value of the message 
bit in the presence of noise. 

Ideally, the probability Pr(m|<7j,pi) of the measurement result m when Bob prepares 
the particle in state pi and Alice makes a measurement corresponding to ai will be one- 
half when Bob and Alice do not have a matching basis and will be either zero or one 
when Bob and Alice do have a matching basis: 

1 = Pr(m = +l|cxi,p+) = Pr(m = — p-) 

= Pr(m = +l|u3,po) = Pr(m = -l|<T3,pi) , 
= Pr(m = -l|<7i,p+) = Pr(m = +l|<n,p_) 

= Pr(ra = -l|cr3,Po) = Pr(m = +l|<73,pi) • 

In other words, a particular outcome is expected when Bob and Alice have a matching 
basis. But (when noise is present) these probabilities will deviate from the ideal values. 
As such, we characterize any events that occur on a shot when Bob and Alice have a 
matching basis, but that are not predicted by these idealized probabilities, as a mismatch. 
For example, if Bob prepared the particle in the state p+ and Alice made the measurement 
corresponding to ai and found the result m = —1, this would be considered a mismatch. 
It is easy to see how such a mismatch might lead Bob to infer the incorrect value for 
the message bit 6, since the result he expected Alice to find was not the result that 
she found. In light of these possible mismatches, it is still possible to quantitatively 
characterize what Bob expects to learn from the use of this protocol. 

To do this, we use the Shannon mutual information I(B : C) between the random 
variable B describing the message bit b and the random variable C describing the com- 
pound events corresponding to the data that Bob acquires on shots where Alice makes 
a bit-announcement. We do not consider the result-announcements in this calculation 
because they have no dependence on the message bit. 

The random variable B describes the possible values of the message bit b, which are 
6 = and 6=1, along with their probabilities, which are assumed to be Pr(6 = 0) = 
Pr(6 = 1) = 1/2. 

The random variable C describes the data that Bob acquires during shots where 
Alice makes a bit-announcement. For each of these shots, Bob records the compound 
event c = (pi,ai,a) which consists of the state pi in which he prepared the particle, the 
operator o\ corresponding to Alice's announced measurement, and the bit-announcement 
a. At the end of N shots, Alice will have made k bit-announcements (with < k < N) 
and Bob will have recorded a string of compound events c = (ci, C2, . . . , Cfc) where the 
event ci occurs during the shot with the first bit-announcement, C2 on the second, and 
so forth. Because of the probabilistic nature of the protocol, the length k of this string 
is not known beforehand. The probability Pr(fc) that Alice makes k bit-announcements 
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can be calculated using the binomial distribution: 

Pr(fc)= fe!(/-fc)! p!:(1 - po)Ar " fc - 

There are sixteen different compound events that can occur on each shot - four possible 
initial states, two possible measurements, and two possible bit-announcements. When 
Alice makes k bit- announcements there are 16 k possible compound-event strings. This 
leads to YLk=o ~ 16 15 ~ X different possible compound-event strings. The random 
variable C describes these strings of possible compound events along with their probabil- 
ities. Because each shot is an independent event, the probability that a particular string 
c = (ci,...,Cfc) occurs is simply the product of the probabilities for each single-shot 
compound event to occur: Pr(c) = n = i Prfe). The probability of one of the individual 
events Pr(pj, a u a) = Pr(a|pi, ai) Pr(pi, a t ) = Pr(a|pi, oi) Pr(pj) Pr(cr ; ) = § Pr(a|pi, a t ) is 
dependent upon the value of b and the value of the measurement result m. From Bob's 
point of view Pr(o|pi, ai) = | [Pr(m = +l\pi, m, b = 0)+Pr(m = —l\pi, cr t ,b = 1)] = 1/2, 
independent of any changes to the state of the particle as it travels to Alice. 

With this explicit description of the random variables B and C, we are now in a 
position to determine the mutual information between them, 

1 

I(B:C) = ^2 Pr(6) ^ Pr(cjfe) log Pr(cjfe) - ^ Pr(c) log Pr(c) 

6=0 c c 

where the sum over c indicates that the summation is made over all possible compound- 
event strings, and where Pr(c|6) is the probability of the compound-event string c given 
a particular value of the message bit b. These can be calculated using Pr(a = 6, pi, oi\b) = 
I Pr(m = +l\ai,pi) and Pr(a / b, p t , ai\b) = § Pr(m = — l|oj, p») along with Pr(c|6) = 
n j= i Pr (cj|6)- Table [2] lists the various outcomes along with the probabilities that show 
up in the mutual information which depend upon the values of Di, D3, Do+, and D+o 
which all fall within the range of zero to one. With the ideal system discussed earlier, 
Di = Dz — and D+o = Do+ = 1/2. While the values of D\ and D3 will likely deviate 
from zero, it should be possible for Bob and Alice to calibrate their equipment properly 
to ensure that D+o = Do+ = 1/2 in the absence of any outside interference with the 
system. If these two values deviate from 1/2 then there is some systematic error with 
their alignment or there is something interacting with the particles in a non-symmetric 
way as they travel from Bob to Alice. Therefore, we assume that it is possible for 
Bob and Alice to improve their apparatus until D+o = Dq+ = 1/2. Furthermore, for 
similar symmetry reasons, we assume that Alice and Bob can "rotate" their systems until 
Di = D3, and we call this value D = Di = D3. In this way, these probabilities can be 
characterized by a single value, D. Moreover, this value of D is simply the probability 
of mismatch. 

Using the assumptions D+q = Do+ — 1/2 and D\ = D3 — D, the probabilities 
Pr(pi, ai, a\b) that are needed to calculate I(B : C) the mutual information are either 
1/16, D/8, or (1 — D)/8. The events corresponding to Pr(pi, ai, a\b) = 1/16 occur when 
Bob and Alice do not have a matching basis. The eight different compound events that 
occur when Alice and Bob have a matching basis can be organized into two mutually 
exclusive sets. We define the set to consist of the following four compound events: 

(p-,ai,a = Q), 0+,CTi,a = l), (pi, 0-3,0 = 0), (p ,ff3,a = l) ; 

we define the set C v to consist of the following four compound events: 

(p_,o-i,a = l), (p+,CTi,a = 0), (pi, 0-3,0 = 1), (p , 0-3, o=0) . 
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Table 2: The probabilities Pr(m|<7/, pi) that Alice's measurement corresponding to 07 results 
in the value m given that Bob prepared the particle in the state pi. Note that Pr(m = 
+l\ai,pi) = 1 - Pr{m=-l\cri,p l ) and Pr(m = +l|crj, p t ) = 1 - Pr(ra = +l|<7;, / - p { ), where / 
is the identity matrix acting on the Hilbert space of the particle. 



Pr(m — 




= 1-D, 


Pr(m = 




= D x 


Pr(m = 


+lki,P-) 


= D 1 


Pr(m = 


-lki,p-) 


= 1-Di 


Pr(m = 


= +l|(Tl,Po) 


= D +0 


Pr(m = 


-l|o-i,Po) 


= 1 - #+0 


Pr(m = 


= +l|(Tl,Pl) 


= 1 - D +0 


Pr(m = 


-l|o"i,pi) 


= £+0 


Pr(m = 


+l|a 3 ,p+) 


= D 0+ 


Pr(m = 


-l|o"3,P+) 


= 1 - Do+ 


Pr(m = 


+l|o"3,P-) 


= l-Do+ 


Pr(m = 


-1 0"3, P-) 


= A)+ 


Pr(m = 


= +l|(T 3 ,p ) 


= D 3 


Pr(m = 


-l|o-3,Po) 


= I-D3 


Pr(m = 


= +l|cr 3 ,pi) 


= I-D3 


Pr(m = 


-1|o"3,Pi) 


= ^3 



If the compound event c is a member of C M then Pr(c|6 = 0) = D/8 and Pr(c|& = 1) = 
(1 — D)/8. If the compound event c' is a member of C„ then Pr(c'|6 = 0) = (1 — -D)/8 
and Pr(c'|6 = l) = D/8. 

We are now prepared to determine the probability Pr(c|6) of a compound-event string 
c given a particular value of b. A compound-event string c can be described by three 
integers: k its length (corresponding to the number of bit-announcements that Alice 
made), x < k the number of shots in which Bob and Alice have a matching basis, and 
y < x the number of compound events that fall within the set C M . For a given number k 
of bit-announcements, there is probability -nrrn (l/2) fc of there being x shots that also 
have a matching basis. For a given x shots that occur out of the k with matching basis, 



there is probability - , 

L y'.x — y 

is straightforward to show that 



1 D y (l - D) x - y that y of the x shots will fall within set C„. It 



can be written as 



y~] Pr(c(fc, x, y)\b) log Pr(c(fc, x, y)\b) 

Pr(c(fc, x, y)\b)\ log fj2 Pr(c(fc, x, y)\b) 



b=0 



b=o 



I(B:C) = 

N k x 

\ E E srbi (5) " E ^ (1 " Dr *) log - 

+ (V-^l - log^-^l - £>)") 
- (Z> M (1 - Df- y + ^-"(l - £>)") log^l - Df~ y + D x - y (l - D) y ) , 

which only depends upon D, p a and N. This never becomes one because Pr(fc = 0) is 
always finite. That is, the probability that Alice does not make a bit-announcement after 
N shots is never nonzero. Therefore the message will be noisy. It is a question of how 
much noise Bob and Alice can tolerate that goes into their choice of p a and N. Assuming 
that D is a fixed value which will be dictated by the apparatus that Alice and Bob are 
using, for every value of I(B : C) < 1 there is a family of p a , N pairs that lead to that 
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particular value of I(B : C). As p a decreases, the value of N increases to establish the 
same value of mutual information I(B:C). While increasing N means that the protocol 
will take longer to complete, the effect of decreasing p a while increasing N also has the 
effect of drastically increasing the number of result-announcements that Alice is expected 
to make, each of which provides Bob with another piece of data regarding how the state 
of the particle is changing as it travels from him to Alice. The choice of p a and N is 
therefore a trade-off between increased speed of communication (smaller N) and more 
data about the quantum channel (smaller p a ) once the desired value of I(B : C) has been 
chosen. 

In the next section we discuss the ability of an eavesdropper to also obtain infor- 
mation about the message bit b from Alice's bit-announcements, and the ability of Bob 
to detect the presence of any such eavesdropping activities through the use of Alice's 
result-announcements . 

3 The effectiveness and the effects of eavesdrop- 
ping 

The goal of this section is twofold: First, to demonstrate what an eavesdropper can 
learn about the message bit 6 while this protocol is being carried out by Bob and Alice. 
Second, to show how Bob can place a bound on what an eavesdropper may have learned 
after the N shots by using the data he received from Alice's result-announcements. To 
begin, we shall examine what an eavesdropper can learn if she is only listening to Alice's 
announcements and not interfering with any of the particles as they travel from Bob to 
Alice. 

It is important to emphasize that the eavesdropper, named Eve, does not have access 
to Bob's knowledge of the particular state in which he prepares each particle. Therefore, 
when we use the mutual information to quantify what Eve learns over the course of 
Alice's k bit-announcements, we must introduce a new random variable E that describes 
the compound events corresponding to Eve's data on shots when Alice makes a bit- 
announcement. The mutual information can be written as 

I(B : E) = J2 Pr ( e l 6 ) lo § Pr ( e l b ) - Pr ( e ) lo § Pr ( e )) 

where the sum over e indicates that the summation is made over all possible compound- 
event strings, and where Pr(e|6) is the probability of the compound-event string e given 
a particular value of the message bit b. 

When Eve is only listening to Alice's announcements, on each shot corresponding to 
a bit-announcement she records the compound event e = (cr; , a) which consists of the 
measurement type 01 and the bit-announcement a. There are four possible compound 
events on each shot. Each of these four events is equally likely from Eve's point of view. 
This last statement depends upon Eve's calculation of Pr(m|cn), which is the probability 
that Alice has found the outcome m given that her measurement corresponded to the 
operator 01. Since Eve does not know the state in which Bob prepared the particle, 
it is equally likely to be in each of the four possible initial states. Eve must calculate 
Pr(m|ffi) using Pr(m|a ; ) = \ (Pr(m|ffi, po) +Pr(m|fX;, pi) +Pr(m\ai, p+) +Pr(m\ai, p_)) , 
where Pr(m|cn,p;) is the probability that Alice's measurement result is m given that her 
measurement corresponds to 07 and that Bob prepared the particle in the state pi. This 
results in Pr(a;,a) = 1/4 for each of the four possible compound events. The ran- 
dom variable E describes the strings e = (ei, e2, . . . , e*,) of k compound events for Eve, 
where ej is the compound event occurring on the jth shot that Alice has made a bit- 
announcement and where < k < N is the number of bit-announcements made by 



6 



Alice. The probability Pr(e) of the string e = (ei, e2, . . . , e*,) of compound events is the 
product of the probabilities for each individual compound event: Pr(e) = 11^=1 P r ( e j) 
and Pr(e|6) = Ylj=i Pr(ej 1 6) . When determining the value of Pr(e|b), once again Eve 
must account for the fact that she does not know the state in which Bob prepared the 
particle. After taking the weighted sum over all possible initial states it is straightfor- 
ward to show that Pr(e|i>) is independent of the value of b for each of the four possible 
compound events e. Therefore, Pr(e|fc) is independent of the value of b for every string 
of compound events e. From this, it is clear that I(B : E) = 0. Therefore, in order for 
Eve to learn anything about the message bit b she must interact with the particles as 
they travel from Bob to Alice. 

Eve has a choice of how she can interact with the particle. She can apply a quantum 
operation to change the state of the particle as it travels from Bob to Alice, she can make 
a measurement (generally, a POVM) on the particle and then allow it to continue on its 
journey to Alice, or she can make the particle interact with an auxiliary "probe" system 
and wait for Alice to announce which measurement was made (corresponding to a\ or 03) 
before Eve makes a measurement of her own (generally, a POVM) on the probe system. 
Any of these options, provided that it acts non-trivially, will change the correlations 
between the state in which Bob prepared the particle and the measurement result that 
Alice finds. This change in the correlations will be made apparent to Bob through the 
result-announcements. Therefore, it is Eve's goal to choose the interaction that improves 
her knowledge about the message bit 6 the most (of any possible interaction) for a fixed 
disturbance to the statistics of Alice's measurement results. 

The lengthy calculation that determines which interaction accomplishes this goal for 
Eve is demonstrated in the Appendix. It is based upon earlier work by Fuchs, Gisin, Niu, 
and Peres[T] and utilizes an interaction with a probe system followed by a measurement. 
Here we simply describe this interaction and evaluate its trade-off between Eve's expected 
gain in knowledge, measured by the mutual information, and the disturbance she causes, 
measured by the probability of a mismatch. 

The eavesdropping technique that optimizes what Eve learns for a fixed amount of 
disturbance is the following: Eve prepares a probe system in some initial state \ip). 
As the particle is traveling from Bob to Alice, Eve ensures that the particle interacts 
with her probe system. This interaction is described by the unitary operator U. If Eve 
initially describes the state of the particle as pi, then after this interaction the state 
of the combined system, particle plus probe, is described by her as U(pi ® \tp){ip\)W . 
(This interaction generally forms an entangled state between the probe system and the 
particle.) Eve then allows the particle to continue on its path to reach Alice, where it will 
be measured. After Eve learns which measurement is used by Alice, Eve performs one of 
two measurements of her own on the probe system, depending upon which measurement 
Alice performed. 

In order that she does not induce any noise that could be considered by Bob and Alice 
to be caused by some systematic error, Eve sets up her probe system and interaction 
U so that each of the four possible initial states pi (with i = 0, 1,+,—) evolves into 
the state p\ = (1 — 2d)pi + dl, where I is the identity operator for the Hilbert space 
describing the particle's subsystem. That is, if Eve knew that the initial state of the 
particle is pi, then she would describe the state of the particle, as it reached Alice, as 
pi = Tt2(U(p ® \ip)(ip\)U^), where TV2 indicates that the partial trace is taken over the 
degrees of freedom of the probe subsystem. It is straightforward to show that when the 
state of the particle is described as p\ = (1 — 2d)pi + dl and when Bob and Alice have a 
matching basis then the probability of Alice's measurement to result in a mismatch is d. 
In this way, Eve chooses \ip) and U so that the parameter d characterizes the amount of 
"noise" she introduces into the system. 

This type of interaction is effective because the state of the combined particle plus 
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probe system will change when Alice makes a measurement. That is to say that if 
Eve knows that Bob prepares the particle in the state pi and that Alice's measurement 
outcome corresponds to the operator |/}(/| (where / = 0,1,+,—), then Eve describes 
the state of the probe system after the measurement as 

Tn ((l/X/l ®I P )U(p t ®\iP)(M)U\\f)(f\®I v )) , 

where Tri indicates taking the partial trace over the degrees of freedom of the particle 
subsystem, and where I p is the identity operator acting on the Hilbert space of the probe 
system. If we then specify a particular measurement that Eve performs on the probe 
system (by explicitly stating the POVM measurement operators), then the probabilities 
of Eve's possible measurement outcomes are easily calculable. 

As we described earlier, the optimal eavesdropping technique requires Eve to make 
two different measurements. If Alice makes the measurement corresponding to o\ then 
Eve makes the measurement {Ei, E2, E3, E4,}, which has four outcomes that we describe 
by using its POVM operators. If Alice makes the measurement corresponding to 03 
then Eve makes the measurement {Fi, F2, F3, F4}. The specific form of U, and the 
POVM operators E\, . . . E4, and Fi, . . . , F4 are found in the Appendix. 

We use the mutual information between random variables B and E[d] to describe 
what Eve learns by employing this eavesdropping technique, where d parameterizes the 
strength of Eve's interaction and < d < 1/2. We need to include the possible outcomes 
of Eve's measurement within the compound events that are described in the random 
variable E[d]. In this way, on each shot the compound event e = (<Ji,a,p,) consists of 
Eve's measurement result p, as well as ai the type of measurement announced by Alice, 
and a the bit-announcement. Eve's measurement result p will be Ei, E2, E3, or £4 when 
Alice announces <ti or Fi, F2, F3, or Fi when Alice announces 03. There are sixteen 
possible compound events which can occur for Eve on every shot corresponding to a 
bit-announcement. The probability for each string e = (ei, e2, . . . , e^) is the product of 
the probabilities from each of the shots that compose that string — that is, Pr(e) = 

n U Pr fe) and Pr ( e i fe ) = n U Pr fei & )- 

These sixteen events can be grouped into four different sets, with each compound 
event in the set occurring with the same probability given each of the two possible values 
of the message bit b. Let 5i indicate the set of all the compound events on the top line 
of Table [3] 5a to indicate the set of all the events on the second line of Table O and so 
forth. When the event e a is in the set 5i and the event ep is in the set 52 then 

Pr(e tt |6 = 0) =Pr(c fl |6=l) = ^-y^ (l - 2y/d(l - d)) = pi , 
Pr(e„|6=l) =Pr( e/3 |6 = 0) = (l + 2^(1 - d)) = P2 ■ 

When the event e 7 is in the set 53 and the event eg is in the set 54 then 

Pr(e 7 |6 = 0) =Pr(ej|6=l) = ^ (l - 2y/d{l - d)) = Vz , 

Pr(e 7 |6=l) =Pr(e 4 |6 = 0) = | (l + 2 ^/d(l - d)) = p 2 ■ 

The derivation of these probabilities can be found in the Appendix. 

When determining the probability of a string of events e, it is sufficient to determine 
how many events occur in each of these categories 5i, . . . , 54. If the string e(ki, k2,ks, ki) 
contains ki events from each set Si, then the probability of that string of events to occur, 
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Table 3: The sixteen compound events which correspond to Alice's measurement type, Al- 
ice's bit- announcement, and a measurement result by Eve. For events on the same line, the 
probability for each event to occur, for a given value of b, is the same. 



Si: 


Ol; 


a 


= 0,£i), 


Ol; 


a = 




03,a: 


= 0,Fi), 


(0-3, 


a=l,F 2 ) 


S 2 : 


Ol; 


a 


= 0,E 2 ), 


Ol; 


a = 


l,^i), 


03,« 


= 0,F 2 ), 


(0-3, 


a = l,F x ) 


S 3 : 


Ol; 


a 


= 0,E 3 ), 


Ol; 


a = 


1,^4), 


03,« 


= 0,F 3 ), 


(0-3, 


a=l,F 4 ) 


S 4 : 


Ol; 


a 


= 0,E 4 ), 


Ol; 


a = 


i,£ 3 ), 


03,« 


= 0,F 4 ), 


(0-3, 


a=l,F 3 ) 



given the two possible values of 6, is 

Pr(e(fc 1 ,fc 2 ,fc 3 ,fc 4 )|& = 0) = p^p^p^pf 
Pr(e(*i,* a ,*s,fc4)|l>=l) = Pfp' 1 ^ 3 . 

Given Eve's prior uncertainty about the value of b, the probability for a given string 
e(fa, k 2 ,k 3 , fc 4 ) is found to be 

Pr(e(fc 1 ,fc 2 ,fc 3 ,fc4)) = jjp^ft^ +pJ 2 P 2 fcl P3 fc4 P4 3 ) • 
We can now calculate the mutual information 

I(B : E[d]) = E U E Pr 0l&) lo S Pr 0l & ) - Pr ( e ) lo S Pr 0) 

e \ 6=0 



Let us define the mutual information It(B : E[d]) to correspond to the situation when 
Alice makes exactly k bit-announcements. This can be written as 

k — k\ — &2 k — k± k . 

k\ 



h(B:E[d])= E E E 



kilk 2 lk 3 \ki\ 

fc 3 =0 k 2 =0k 1= 



- [Pr (e(fei, k 2 , k 3 , fct) \b= 0) log Pr (e(fei, k 2 , k 3 , fc 4 ) \b= 0) 
+ Pr(e(fci, k 2 , k 3 , fe 4 )|6=l) log Pr(e(fci, k 2 , k 3 , fc 4 )|6 = l)] 
- Pr(e(fci, k 2 , k 3 , fc 4 )) log Pr(e(fci, k 2 ,k 3 , fc 4 )) 



where fc 4 = k — ki — k 2 — k 3 . The factor of 

fc! 



k\\k 2 \k 3 \k4,\ 



is the number of different strings that share the same values of the fci's. Due to the 
probabilistic nature of this process, Eve does not know the number of bit-announcements 
that will be made. We have plotted in Figure[T]the mutual information versus disturbance 
when k is 1, 3, 5, or 7. It is easily seen that making more bit-announcements allows Eve 
to learn more for a fixed amount of disturbance, which is characterized by the parameter 
d. The mutual information that is expected, given Eve's prior uncertainty for the number 
of bit-announcements k, can be taken account of by the weighted sum 



I{B:E[d]) =J2^(k)I k (B:E[d]) 
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This completes the analysis for determining what Eve expects to learn and the amount 
of noise she induces, measured by the probability of a mismatch, by employing the 
optimal eavesdropping techniques. Next, we will show how Bob can place a bound on 
the amount of information an eavesdropper can be expected to know based upon Alice's 
result-announcements. 




Figure 1: Mutual information as a function of distubance D, describing the amount an eaves- 
dropper learns about the message bit given that Alice made k bit-announcements. 

Within the quantum cryptography literature, it is customary to attribute any noise 
to an eavesdropper's activities. In keeping with this tradition, we will assume that any 
mismatches are due to Eve's activity, characterized by d, and not due to any mismatches 
that may be due to the apparatus that Alice and Bob are using, which we characterized 
by the value of D earlier. 

During the transmission of the message, Bob will have a string of data describing 
the initial state in which he prepared N particles. He will also have the data from 
Alice's k bit-announcements and from Alice's N — k result-announcements. If he detects 
r mismatches (0 < r < N — k) during the result-announcements, then the experimental 
mean value of d is d = r/(N — k). If the statistics that he collects are sufficient so 
that the central limit theorem applies, then Bob can calculate the standard deviation 
a = y/r(N — k — r)/(N — k). Then he can state that with about a 95% probability that 
any eavesdroppers present had obtained an equal or lesser knowledge of the message bit 
than any eavesdroppers using the ideal eavesdropping technique with a value of d that 
was less than d 2a = d + 2a = d/(N - k) + 2 s /d(N -k- d)/(N - k). And for every value 
of d, he can calculate Ik(B : E[d]). So he knows, with a 2a confidence level, that any 
eavesdroppers know less than Ik{B : E[d2a\) about the message bit. If more confidence 
is necessary, Bob can simply go out to the appropriate number of standard deviations 
and make stronger statements. 

Alternatively, a Bayesian statistical analysis could be used to employ all the data 
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that Bob has available to him. Broadly speaking, this would be used to calculate 

the probability that an eavesdropper is actively working at the level d given all the 
data at hand, for every d. Then, for example, Bob could determine the value of d such 

that J d Pr(_E[d]|data)dci = 0.95 in order to say that there is a probability of 95% that 
any eavesdropper's knowledge of b is less than Ik(B : E[d]). (This is just an example 
of one type of statement that Bob could make when he knows Pr(.E[d]|data) for every 
< d < 1/2.) An example of a piece of data that is not included in the simpler 
calculation is the probability of a mismatch caused by Bob's state preparation device 
and Alice's measurement device, which are assumed to be outside the influence of any 
eavesdroppers. Another benefit of using this type of analysis would be its application to 
situations where there is not a sufficient amount of data for the central limit theorem to 
apply. While we feel that this type of analysis will ultimately prove to be more effective 
than the simpler (but more established) techniques discussed earlier, we also feel that a 
detailed technical discussion of this type of Bayesian analysis would be more appropriate 
elsewhere. 

4 Discussion 

There are great similarities between the protocol introduced here, whose goal is to trans- 
fer a message to a privileged receiver while giving that receiver the opportunity to deter- 
mine if that message has been exposed to any eavesdroppers during its transmission, and 
the BB84 quantum key distribution (QKD) protocol whose goal is to generate a private 
string of bits which is shared between two parties. Indeed, the state preparation and 
measurements, along with their probabilities, are identical. The two protocols deviate 
when it comes to the public announcements made by Alice. (Actually, most descriptions 
of the BB84 protocol have Alice preparing the particles and sending them to Bob to be 
measured. Here we have done the opposite to ensure that the message goes from Alice 
to Bob, which is common practice in the cryptography literature. Since BB84 can be 
accomplished equally well either way, we have reversed the roles of Alice and Bob for 
our description of BB84.) The public announcements phase of the BB84 protocol has 
three steps: Alice announces her measurement type (either ai or (73), a number of an- 
nouncements are made by both Alice and Bob to correct for errors, and then a number 
of announcements are made by both Alice and Bob to accomplish privacy amplification 
which makes their shared string of bits shorter but ensures that no eavesdroppers will 
know more than a negligible amount about their new shorter shared string of bits. These 
last two steps, which require a great deal of public communication, are replaced by the 
bit-announcements and result-announcements by Alice. 

The private string of zeroes and ones that results from any QKD protocol is com- 
monly referred to as a key, which can then be used for cryptographic tasks such as 
communicating secrets over a public communication channel or message authentication. 
We refer to this type of key, the string of zeroes and ones, as a concrete key. However, 
we shall take a more general view of keys. Following Shannon, we abstractly refer to 
a key as a mapping from the set of possible messages to the set of possible encrypted 
messages (cryptograms). For the protocol introduced here, we can view the two possible 
values of Alice's message bit as the set of possible messages and her many possible public 
announcements as the set of possible cryptograms. Furthermore, we can view the string 
of initial states that Bob prepares as his key. Bob utilizes his knowledge of this string to 
decode the cryptogram and determine the value of the message bit. Where this process 
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differs greatly than those considered by Shannon 2 is that the mapping that Bob's uses 
to determine the value of the message bit is probabilistic rather than deterministic. Each 
of the two values of the message bit will have a non-zero probability for any given string 
of particles that Bob prepared and any given string of announcements by Alice, provided 
that there is noise in the system. 

When viewed in this way, by use of this more abstract notion of a key, the protocol 
introduced here can be thought of as the generation and use of a key — on shots where 
bit-announcements occur — while simultaneously checking the channel for noise which 
would be the hallmark of any eavesdropping activity. Any protocol that includes these 
two factors would accomplish the same goal of being able to send a message while deter- 
mining if that message had been exposed to any eavesdroppers. What is accomplished is 
similar to the goals of tamper-indicating seals [3] which are attached to physical packages. 
These tamper-indicating seals do not prevent anyone from opening the package, but they 
indicate whether or not they have been opened previously. However, an advantage of the 
tamper-indicating seals that is not present with the protocol introduced here is that an 
effective tamper-indicating seal can be utilized by anyone who is opening the package, 
while here there is only a single privileged receiver who can check for eavesdroppers. (To 
avoid confusion, it should be noted that there is another quantum cryptographic task 
that can be found in the literature under the name of a quantum seaZ. [4] [5] [6] [TJ E] The 
task introduced here is quite distinct from the quantum seal protocols that have been 
introduced, both in its goal and in its execution. See [9] for further comments.) 

There have been a number of papers written on the topic of quantum secure direct 
communication (QSDC)[1UI 1111 1121 1131 114] , A careful reading of the literature seems 
to indicate that various authors who have written papers on this subject have assigned 
different meaning to the use of this term. (To exacerbate the issue, there are similar 
references that refer to an activity described as quantum direct communication(QDC) [T5] 
which seems to fall within the same general category as these others.) It is worthwhile 
commenting on the similarity of the protocol introduced here to all those protocols 
introduced under the heading of QSDC (or QDC) because of their similarity, both in 
the sense that they claim to be a quantum cryptographic task which differs from QKD 
and that they purport to transmit a message from one person to another. The great 
difference arises from the fact that anyone who uses the protocol introduced here is 
willingly allowing an eavesdropper to intercept and read the transmitted message, at 
the peril of her eavesdropping activity being found out. This is quite different from the 
cryptographic goals described in the QSDC literature - most of the QSDC protocols 
purport to allow a message to be sent without the use of a private key shared between 
the two communicators and without any risk of an eavesdropper learning anything about 
the message. 

A possible advantage that may result in the use of the protocol introduced here is 
the reuse of concrete keys. Say that a concrete key is privately shared between Alice 
and Bob. Alice can encode a message using the concrete key and use the protocol 
introduced here to communicate that encrypted message to Bob. When Bob receives the 
encrypted message he can decode it using their concrete key, but he can also determine 
if there have been any eavesdroppers trying to determine the encrypted message. If he 
knows, to a high confidence level, that there have been no eavesdroppers active during 
Alice's transmission then he and Alice can have confidence to reuse their concrete key. 
Or perhaps they may utilize a privacy amplification scheme to ensure that a smaller 
concrete key can be used to send future secret messages. While there has not yet been 
any mathematical confirmation that this type of activity would be effective, we feel that 
it is worth careful investigation. 

A possible improvement of the protocol introduced here would be to include the use 
of an error correcting code by Bob and Alice to ensure that their noisy messages are 
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transmitted accurately. However, a new type of analysis must be undertaken, similar to 
the way that Slutsky et al 16 examined a more general class of eavesdropping activities 
than Fuchs et aZ[I] when they examined how the error-correcting stage of the BB84 
protocol effected an eavesdropper's advantages. 

In summary, we have introduced a quantum cryptographic protocol that makes it 
possible to send a message to a privileged receiver so that receiver can detect the extent 
of which any eavesdroppers had access to that message during the course of its trans- 
mission. We proved its effectiveness against all eavesdropping activities and discussed 
its relationship to other cryptographic tasks. 
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A.l Plan for this section 

In this Appendix we determine the optimal eavesdropping technique for the eavesdrop- 
per, Eve. This technique maximizes what she expects to learn, measured by the mutual 
information, for a given disturbance she causes, quantified by the probability of a mis- 
match. (As was discussed earlier, a mismatch occurs on a shot when Bob and Alice have 
a matching basis, but where Alice's measurement result is opposite to the one that Bob 
expected based upon his knowledge of the state in which he prepared the particle.) Our 
analysis relies heavily upon work done by Fuchs, Gisin, Griffiths, Niu, and Peres[T] in 
which they studied certain classes of attacks on the BB84 protocol. 

Their analysis focuses on the best eavesdropping activity when the eavesdropper acts 
on each particle individually, as opposed to the eavesdropper using some "large" probe 
system that interacts with all the particles from N shots before making a measurement 
of the probe. Those that are studied by Fuchs et al are referred to as individual attacks, 
as opposed to more general types of attacks which are referred to as collective attacks [16] 
and joint attacks 16 . While later analvses[16| of eavesdropping on BB84 considered these 
more general types of eavesdropping activities, this is not necessary in our case. The 
reason for this is because in BB84 an eavesdropper can infer certain global properties 
of Alice and Bob's shared string of bits from the announcements that are made during 
the error correction phase of that protocol, but here there are no such error correction 
announcements. Therefore, neither a collective attack nor a joint attack will provide any 
benefit to an eavesdropper because the protocol does not divulge any further data that 
an eavesdropper could use to inform her decision as to which specific activity, from within 
these two classes of the more general types of attacks, she would undertake. Therefore, 
our analysis, which will parallel the analysis by Fuchs et al and only focus on activities in 
which the eavesdropper interacts with each particle individually, encompasses the most 
general type of eavesdropping activities that we need to consider. 

But we cannot simply apply the Fuchs et al results directly to our situation because 
the details of BB84 are distinct from ours in one critical aspect. In BB84, if on a 
particular shot Bob and Alice do not have a matching basis, then they will not make 
use of that measurement result as a bit for their key. In the protocol introduced here, 
it is possible that Bob and Alice do not have a matching basis on a particular shot, but 
Eve can still use Alice's announcement from that shot to determine the message bit. 
Fortunately, we can utilize many of their results to determine the eavesdropping activity 
that results in the most information gained by the eavesdropper for a fixed amount of 
disturbance. 

We summarize the methods employed by Fuchs et al because our present analysis 
depends upon a number of specific points within their analysis. Instead of simply listing 
these specific points, we shall follow the logic used by Fuchs et al to reach these points. 
Furthermore, once these points are in hand, the analysis for our new protocol can be 
accomplished quickly and clearly. 
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A. 2 Summary of the Fuchs et al optimization 

The eavesdropping activities considered by Fuchs et al are based upon the concept of 
an eavesdropping probe system which was discussed earlier. As the particle, described 
by state pi, travels from Bob to Alice, Eve ensures that it interacts with a probe system 
she had prepared in the state \tp). The state of the combined system evolves unitarily 
and then the original particle travels to Alice while the probe system stays under the 
control of Eve. If Alice announces that her measurement corresponds to o\ then Eve 
will make a (POVM) measurement described by the operators {E\, E2, -E3, £4}, and if 
Alice announces that her measurement corresponds to 0-3 then Eve will make a different 
(POVM) measurement described by the operators {F\, F2, F3, 

The analysis performed by Fuchs et al was to find a bound on the the mutual informa- 
tion, describing what Eve expects to learn, for a fixed probability of a mismatch induced 
by her action. We use the symbol di ((I3) to indicate the probability of a mismatch if 
Alice's measurement corresponds to o\ (0-3, respectively). We use the symbol X\ (I3) 
to describe the what Eve learns — quantified using the mutual information between the 
random variable describing both possible bit values and the random variable describing 
all outcomes of possible "probe and measurement" procedures — when Bob and Alice 
have a matching basis. (Recall that in the BB84 protocol, Alice and Bob only use the 
data resulting from shots when they have a matching basis.) Fuchs et al showed, by the 
application of a number of inequalities, that the relations 



describe the best an eavesdropper can do in terms of a trade-off between information 
learned and disturbance caused. They then show that their proof allows for an eaves- 
dropping activity that maximizes both of these inequalities simultaneously (so that the 
< is replaced by =). 

For the second part of their analysis, they demonstrate a particular type of probe- 
and-measurement activity that saturates these bounds just discussed. They call this 
probe "symmetric" because, among other things, X\ — I3 and di = d$. (We shall discuss 
the other criteria that make it "symmetric" shortly.) Within the BB84 protocol, half 
the time Alice's measurement corresponds to <ti and half the time it corresponds to (73 
(while "throwing out" the shots where Alice and Bob do not have a matching basis), so 
the expected mutual information is T — \^L\ + I3) and the expected probability of a 
mismatch is d = ^{di + (fe). In this case, Equation [3] can be rewritten in terms of T and 
d: 



The ansatz outlined by Fuchs et al works as follows: First, the particle, described 
by state \i) (with i = 0, 1, +, — ), interacts with a probe system prepared in some initial 
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state \tp). The combined system, described by the state \i) <g> |V>), evolves unitarily in the 
following way: 



|0)®|V>> Vl - d|0) (8) |xoo> + v^l) ® |xoi) 

Vd\0) <g> |xio> + Vl - d|l> <g> |xii) • 

Such a unitary operator J7 exists if and only if (xoolxio) = and (xoi|xn) — 0. This type 
of interaction was chosen so that pi = \i){i\ (for i = 0, 1) evolves into p' { = (1 — 2d)pi + d/ 
after we trace over the degrees of freedom of the probe system. In order for this to occur, 
it also requires that (xoolxoi) = and (xio|xn) = 0. 

Fuchs et al also desire for U to act in a similar way on the initial states p+ and p_ : 

|+>®|V> VT=d\+)®\x++) + ^d\-)®\x+-) 

|->®|V> Vd|+> ® |x-+> + \/T r d|-> ® Ix— > • 

The unitarity of U requires (x++|x — h) = and (xh — |X--) = 0. In order for pi to evolve 
into p'f = (1 — 2d)pi + d/, for i = +, — (after we trace over the degrees of freedom of 
the probe system), it is necessary that (x++Ixh — ) = and (x- + lx — ) = 0. The linear 
relationships between |0), |1), |+), and |— } allow us to write 



lx++) 



= \ [lxoo> + Ixn) + \J YZTd fl X01 ) + I* 10 ))] 



IX+-) = ^-^(Ixoo) - Ixn)) + Ixoi) - Ixio)] 

' X_+ ^ = \ [\/^T^(l X00 ^ ~ ' Xl1 ^ ~ (! X()1 ^ ~ ' Xl0 ^] 

IX— ) = \ [iXoo) + Ixn) - \J YZ^Oxoi) + |xio))] • 

From these linear relationships, and the earlier requirements on the orthogonalities be- 
tween the various \xij) probe states, it is easy to show that (xoo|xn) = (xn|xoo) and 
(Xoilxio) = (Xiolxoi), and that 

d = l-(xoolxn) (6) 

1 - (Xoolxn) + (Xoilxio) 

Fuchs et al argue that these restrictions on the evolution of the combined system 
(particle plus probe) we have just described are not a hindrance to their task of deter- 
mining the optimal eavesdropping activities. Their reasoning for this is nicely discussed 
in Appendix B of their manuscript, but can be summarized by saying that for every "non- 
symmetric" activity — one for which the requirements that (i) di — ds, (ii) T3 =Ii, and 
(iii) pi evolves into (1 — 2d)pi + di for all i = 0,1, +, — , are not all satisfied — there ex- 
ists some symmetric activity (where requirements (i)-(iii) are satisfied) that achieves an 
equal amount of mutual information while causing the same probability for a mismatch. 

Once the symmetric evolution has been described, and it has been established that 
the optimal eavesdropping activity can fall within this form, Fuchs et al go on to explain 
how this type of evolution can lead to the eavesdropper determining the value of the key 
bit. In their BB84 analysis, the key bit has value if Bob prepares the particle in the 
state po or p+ and the key bit has value 1 if Bob prepares the particle in the state p\ or 
P— 

Let us assume, as Fuchs et al have done, that Bob prepares the particle in the state 
po and Alice makes the measurement corresponding to (73. It is easy to see that Alice has 
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probability (1— d) to find the result m — +1 and probability d to finds the result m = — 1. 
If Bob prepares the particle in the state po and Alice finds the result m = +1 then the 
resulting state of the probe will be |xoo) after tracing over the degrees of freedom of the 
particle. And if Alice finds the result m = — 1 then the resulting state of the probe will 
be |xoi}- This means that Eve's best description of the state of the probe is 

r = (1 - Olxoo)(xoo| + d\xoi){xoi\ 

if she knows that Bob prepared the state |0) and Alice's measurement corresponded to 
03 . By similar reasoning, if Eve knows that Bob prepared the state pi and Alice made 
the same type of measurement then Eve's best description of the state of the probe is 

Ti = d|xio)(xio| + (1 - d)|xu)<Xii| • 

The problem of determining the state in which Bob prepared the particle then becomes 
a problem of distinguishing between the two mixed states To and Ti. 

In other words, on every shot in which Alice's measurement corresponds to 03 and 
she and Bob have a matching basis, there is a one-half probability that the state of the 
probe is To and a one-half probability that the state of the probe is Fi. If Eve can 
determine which state the probe is in then she knows which state Bob prepared. 

A great deal of work has been done on distinguishing between quantum states. [17] but 
how to optimally distinguish between two mixed states is still an open question. However, 
Fuchs et al have found a procedure which is optimal for distinguishing between the states 
To and Ti when there is an equal chance that the system is in either state. The reason 
why we know that they have found the optimal procedure for distinguishing between Tq 
and Fi is the following: The mutual information that describes how much Eve learns 
about which state Bob prepared is equal to the mutual information that describes Eve's 
ability to distinguish To from Fi . The procedure they have found (which we will describe 
shortly) allows them to maximize the inequality which we have re-written in Equation 
(J5J . If there were some other procedure that allowed Eve to better distinguish between 
To and Ti , this would increase the mutual information without effecting the disturbance 
caused, which would violate the inequality in Equation ([5]). Therefore, the procedure 
that Fuchs et al found for distinguishing between To and Ti, when both have equal 
probability, is optimal. 

We now shall explain the procedure that Fuchs et al have devised to optimally dis- 
tinguish between the equiprobable mixed states Fo and Fi. Our description of their 
procedure differs from theirs, but the procedure itself is equivalent. 

Let us define a four-dimensional orthonormal basis for the state of the probe particle, 
{|*7o)> \r)i), \tp), |f?3}} with (rn\r]j) = Sij. (Where = 1 when i = j and 8^ = when 
i 7^ j.) Take the \Xij)' s to be defined as follows: 

Ixoo) = \vo) 

Ixoi) = 

|Xio) = (l-2d)|»7i> + 2Vd(l-d)|»73> 

|Xii) = (l-2d)fo)> + 2^d(l-d)\r, 2 ) . 

Furthermore, we introduce the angle 7 so that cos 7 = ([1 + 2 x /d(l-d)]/2) 1/2 and 
sin7 = ([1 — 2\/d(l — d)]/2) 1 ^ 2 . Eve performs a measurement (POVM) on the probe 
particle that is described by the operators {Ei, E2, -E3, E4}, where Ei = |e;)(£i| for 



17 



Table 4: The probability of a particular measurement outcome for Eve, described by Ei, 
given that the state of the probe is Tj. Also, sin 2 7 = |[1 — 2^/d(l — d)] and cos 2 7 = 

i[l + 2Vd(l-d)]. 



r ri 



Si : 


(1 


— d) cos 2 7 


(1 


— d) sin 2 7 


E2 '■ 


(1 


— d) sin 2 7 
dcos 2 7 


(1 


— d) cos 2 7 
d sin 2 7 


E3 : 






£4 : 




d sin 2 7 




d cos 2 7 



i = 1,2, 3, 4, and where the [&j)'s form a different orthonormal basis, 

|ei> = COS7I7/1} - sin7|f? 3 ) 

|e 2 > = sin7|r7i) + cos7j77 3 ) 

[£3) = COS7I772) — sin7|774) 

\E4) = sin 7I772) + cos 7^4) • 

Recall that it is Eve's goal to determine whether the probe particle is in the state 
To = (1 — gQ!xoo)(xoo| +rf|xoi)(xoi|, which would indicate that Bob prepared his particle 
in the state |0), or whether the probe is in the state I\ = (1 — d)|xn)(Xn| + ^lxio)(Xio| 
which would indicate that Bob had prepared his particle in the state 1 1} . For this purpose, 
it is necessary to calculate Pr(Tj\Ei), which is the probability that the probe particle was 
in the state Tj (with j = 0, 1) given that her measurement result corresponded to Ei (with 
i — 1,2,3,4). Since both states, To and Ti, were equiprobable before the measurement, 
a simple application of Bayes' rule shows that Pr(F j\Ei) = ^Pi(Ei\Tj)/Pi(Ei), where 
Pr(Ei\Tj) is the probability of a particular measurement outcome for Eve, described 
by Ei (i = 1,2,3,4), given that the state of the probe is Tj (j — 0, 1), and Pr(Ei) = 
i[Pr(_Ei|Fo) + Pr(-Ei|ri)]. These probabilities are easily calculable and are summarized 
in Table H 

From these results we can determine what Eve learns by employing this type of eaves- 
dropping activity, which is quantified by the mutual information between the random 
variable describing the two possible states po an d pi, each with probability 1/2 and ran- 
dom variable describing the possible measurement outcomes by Eve, {Ei, E2, E3, E4,} ■ 
It is found to be 

Tz = U [l + 2x/d(l + d)] log [l + 2y/d{l + d)] 

+ [l - 2y/d(l + d)] log [l - 2^(1 + d)] ^ , 

which saturates the bound in Equation (Recall that in this symmetric case di = d.) 

The description of this procedure for distinguishing Fo from Ti was focused on the 
case when Alice announces that her measurement corresponded to 03. An analogous 
procedure can be followed to distinguish the mixed state 

r+ = (1 - d)|x++)(x++l + d| x+ -)(x+-l 

from 

r_ = d|x-+>(x-+l + (i-d)lx— >(x— I 
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which are the resulting states of the probe when Alice's measurement corresponds to ai 
and when she and Bob have a matching basis. It can be shown that such a procedure 
results in 

li = i ([1 + 2y/d(l + d)] log[l + 2 + d)] 

+ [1 - 2s/d{l + d)] log[l - 2v/d(l + d)]J , 

which saturates the bound in Equation (J3j . Because the two types of measurement that 
Alice performs occur with equal probability, it is easy to see that X — |(2Ti so 
that the inequality shown in Equation © is saturated. This completes our description 
of the optimal method Fuchs et al found to eavesdrop on the non-error-corrected string 
of key bits which result from the BB84 process. We will rely upon this analysis and their 
results extensively to demonstrate the optimal bound for eavesdropping on the protocol 
introduced here. 



A. 3 Optimal eavesdropping activity for this current proto- 
col 

Our discussion of the optimal activity of an eavesdropper shall begin with a short re- 
minder of the goal of the eavesdropper. Since, on every shot that a bit-announcement is 
made, there will be an announced bit a which depends upon the measurement result, m, 
and the value of the message bit b, it is the eavesdropper's intention to infer the value 
of m. This is a different question than the one which Fuchs et al answered, which was 
to determine the state in which Bob prepared the particle. 

In order to determine which measurement result was found by Alice, on a particular 
shot, we will assume without loss of generality that Eve uses a symmetric probe for 
eavesdropping. The unitary evolution of the coupled particle and probe systems states 
is characterized by 

Vl-d|0) ® |xoo) + Vd\l) ® \xoi) 
Vd\0) ® |xio) + Vl - ® Ixn) 
Vl-d\+) <g> | X ++) + Vd\-) ® |x+-) 

v^l-} ® ix-+) + VT=d|-> ® Ix— > 

subject to the conditions 

<Xoo|xio) = (Xoilxu) = (xoolxoi) = <Xio|Xn> = , 

<x++lx-+) = (x+-\x—) = (x++lx+-) = (x-+lx— ) = , 

(Xoo|xii) = (xnlxoo), (xoilxio) = (xiolxoi) , 

(x++lx— ) = (x— lx++}> <x+-lx-+) = (x-+|x+-) , 

d = 1 - (XoolXn) 

1 - (XoolXn) + (Xoilxio) 

When this type of evolution occurs, the state of the particle pi (i — 0, 1, +, — ) evolves 
into p'i = (1 — 2d)pi + dl with < d < 1/2. The probability that there will be a mismatch 
on a particular shot, given that Alice and Bob have a matching basis, is d. 

Let us now focus on the case when Alice makes the measurement corresponding to az 
and finds the result m = +1. The state of the probe that results from Bob preparing the 
particle in each of the four possible initial states is shown below. We use the notation 



|i)®IV»> 

1+) ® \rp) 

|->®IV) 
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rV CT ,m,pi) to indicate the resulting state of the probe given that Alice's measurement 
corresponded to 01 (with I = 1,3) and that she found the result m after Bob prepared 
the particle in the state pi (where i = 0, 1, +, — ). These states are the following 

r , (<r 3 ,m=+l ) p ) = |X00)(X00| 

r(o- 3 ,m=+i, W ) = lxio)(xio| 

r (o- 3 ,m=+i, P+ ) = (1 - d)|xoo)(xoo| + d|xio)(xio| 



+ v / d(l - d)[|xoo)(xio| + |xio)(xoo|] 
r (CT3 , m=+ i,p_) = (l-rf)|xoo)<Xoo| + rf|xio)(xio| 



-Vd(l-d)[|xoo>(xio| + |xio)(xoo|] . 

The probability for the event (ai,m,pi) to occur is easily calculated from the fact that 
Alice is equally likely to make either measurement, Bob is equally likely to prepare each 
of four initial states, and the unitary evolution U is designed so that each initial state of 
the particle pi evolves into p\ = (1 — 2d)pi + dl: 

r (<r 3 ,m=+i,tt>) occurs witn probability 1 - - , 
r( CT 3, m =+i iP1 ) occurs with probability ^, 
^{a 3 ,m=+i,p + ) occurs with probability i, 

r( - 3jm= +i ) p_) occurs with probability i. (7) 

We can also write down the final probe states given that Alice's measurement corre- 
sponded to 1T3 and found the result m = — 1, 

^(a 3 ,m=-l,p ) = IXoi)(xoi| 

r( CT3 , m= _i, pl ) = IxiiXxnl 

r (CT3 , m= -i, p+ ) = d|xoi)(xoi| + (1 - d)|xii)(xn| 

+ v /rf(l-d)[lx»i)<Xii| + IXii)(X0i|] 
r (CT3 , m= -i, p _) = d|xoi)(xoi| + (1 - d)|xii)(xn| 

-Vrf(i-d)[|xoi)(xn| + lxiiXxoi|] ; 

along with the probabilities for the events to occur which make these the final probe 
states: 

r , (<r 3 ,m=-i,/> ) occurs with probability ^, 
r( CT3im= _ liP1 \ occurs with probability 



2 ' 

r( CT3im =_ ljP+ ) occurs with probability -, 

r( CT3jm =_ l p _) occurs with probability i. 

If Alice makes a measurement of 0-3 and finds the result m — +1, Eve's best descrip- 
tion of the state of the probe r( CT3 m=+1 ), since she is ignorant of the state in which Bob 



20 



prepared the particle, is described by 
r( CT3 , m=+ i) 

- 1 ~ d r + i r + ir + ir 

2 (o-3, + 1,po) • 2 (CT3.™=-l.Pl) "t" 4 (°"3,m=-l,p+) ~T .A (0-3 ,m = - l,p_ ) 

= (1 - d )lxoo)(xoo| + d|xio)<Xio| ■ 

Similarly, if Alice makes a measurement of 03 and finds the result m = — 1 then Eve's 
best description of the state of the probe system is 

r (CT 3, m= -i) = rf|xoi)<xoi| + (1 - d)lxn)(xii| • 

So the task that Eve is left with, once she learns that Alice made the measurement 
corresponding to 03, is to distinguish between these two equiprobable probe output 
states, r( CT3i+ i) and Tr a3> _ 1 \. But these two final probe states are related to the states 
To and Ti by a unitary transformation. For the unitary operator 

V = (f - 2d)(\r, 1 )( Vl \ + \T]3)(V3\) + 2^d(l-d)(\ Vl ){ m \ + \m)(vi\) , 

rv 3 , +1) =vr v i 
r (CT3 , +1) = vTiV* . 

The measurement that optimally distinguishes between these two equiprobable mixed 
states is {VE 1 V\VE 2 V\VE i V\VE 4 y' 1 }, where the £Vs are the operators that are 
used by Fuchs et al to optimally distinguish between the states To and Fi. The probabil- 
ity for the four different possible measurement outcomes that Eve may get, given that the 
probe is in the state F( (T3i+1 ) = VToV' or Y^^x) = VFiV', are the same as those shown 
in TableU We can again apply Bayes' rule Pr(r (CT3 , ±1) \E t ) = \ Pr( J B 1 |r {(T3i±1) )/ Pr(£' i ) 
to determine these probabilities that arise in the calculation of the mutual information. 

The same thing occurs when Alice's measurement corresponds to crj, due to the 
symmetry of the probe and the final state of the particle as it reaches Alice. That is, the 
evolution of the probe system requires Eve to distinguish between two different mixed 
states of the probe system, 

r (CT1 ,+i) = (1 - d)\x++)(x++\ + d\x-+)(x-+\ 

and 

iWi) =d| x +-Xx+-l + (i-rf)lx— ><x— I ■ 

Furthermore, there exists a unitary operator W so that the measurement described by the 
operators {WFtW^, WF 2 W\ WF 3 W\ WF4W''} is the best for distinguishing between 
these two mixed states. Furthermore, the probabilities of the various outcomes match 
those that occurred when Alice made the measurement corresponding to 0-3. 

This proof is dependent upon two points: First, that the requirements imposed by 
our implementation of the symmetric probe do not hinder the generality of this analysis. 
Second, that the measurement found by Fuchs et al is the best way to distinguish between 
two equiprobable mixed states Fo and Ti , and therefore the related measurement can best 
distinguish between the equiprobable states F( CT3i+1 ) = VTo^ and r^^y = VFiVK 
This concludes the proof on the optimal eavesdropping activity. 
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